2. The way to see if your DNS is good is to check whether its port randomization is rated great; if it says “poor”, TELL YOUR ISP TO PICK UP THE SLACK AND UPDATE IT, AND ALSO IT’S FREE TO UPDATE!!!!!!!!!!!!!!!!!! All of the sites I listed can check if your DNS is good or bad, but remember that DNS can be spoofed, so some sites can give you a false positive, which means they can lie to you. The way to know for sure is to make sure you have an https:// at the beginning of your URL, which means a secure connection that can’t be spoofed. If your DNS is compromised you can use a service called OpenDNS, which is free and probably a lot faster than your DNS and more secure, because the only thing they do is keep their DNS servers up-to-date, always. They have a network of them all across the world, which means it is also more reliable. If one DNS server is different from all the rest then it will be changed back. That is why it is more secure; also they are not compromised, because all of their DNS servers were patched on the day the patch came out. It is faster, more secure, more reliable, and the best thing is it is FREE!!!!!!!!!! For more info about OpenDNS go to http://opendns.com/

That is the only advice I can give you to keep your DNS servers safe. Spread the word about this flaw and we might change the way we shop online and feel safer doing it too. Everyone deserves a safer and faster web for half the cost… well, we can do the safer and faster part for now.

P.S. OpenDNS’s primary server IP is 208.67.222.222 and the secondary server IP is 208.67.220.220, just if you want to know.

In news of the DNS flaw, Kaminsky (finally) provides DNS flaw details. “In his first public comments since his Domain Name System (DNS) cache poisoning flaw was made public, Dan Kaminsky said in a conference call on Thursday he doesn’t want to parse who said what when. He just wants everyone to understand that they must patch their systems now.” -Cnet.com. Also, Steve Gibson talks about the flaw in the podcast he does every week, in episode #155, Bailiwicked Domain Attack, and also in episode Listener Feedback #47.

“This would be less of an issue if the widely released patch from two weeks ago had been fully deployed, but a number of companies or ISPs don’t seem to have gotten the memo. According to Kaminsky, some 52 percent of DNS servers are still vulnerable to the attack. This is a marked improvement from the 86 percent vulnerability rate in the days immediately following the patch’s release, but it’s still far too high, especially with dangerous code now squirreling its way across the Internet. Patch deployment is not an instant process, even if the company is on the ball, but we’ll hopefully see the number of patched DNS servers skyrocket in the next few days.

Some publications have dubbed the attack Metasploit, but that term refers to the open-source Metasploit Framework that was used to develop it. As for the exploit itself, it’s a new variation on a classic DNS poisoning theme. It disrupts the normal translation functions of a DNS server, causing it to redirect users to websites other than the ones they intended to visit. A poisoned DNS server, for example, could send someone to http://www.RussianMalware.com when they had actually typed http://www.google.com into the address bar. DNS poisoning isn’t new—vulnerabilities have existed for over a decade—but the one Kaminsky discovered increases the power of a successful attack.

Kaminsky has now detailed the methodology of a standard DNS poisoning attack and provides additional information on the vulnerability he discovered. As he describes it, a DNS lookup request is essentially a race between a good guy and a bad guy, each of whom possesses certain advantages. The good guy knows when the race begins, and he knows the secret code that’s been sent along with that request in order to verify that the response coming back is actually authentic. The bad guy doesn’t have this code, but he actually decides when the request goes out, and he knows about the request before the good guy does.” -arstechnica.com
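The “secret code” in the race described above is the 16-bit DNS transaction ID, and the patch adds source-port randomization on top of it, which is what the poor/good/great check in point 2 measures. The following is an added Python example, not code from this post or from any of the test sites it links to: it rates a resolver’s observed source ports the way those checks do and shows how much protection a random port adds. The constructed port samples, the rating thresholds and the 64512-port ephemeral range are assumptions.

```python
import math
import statistics

# Constructed samples of the UDP source ports a resolver used for 64
# successive outbound queries, as the port-randomization tests the post
# links to would observe them. Sequential ports are the unpatched
# behaviour; the second list is spread across the ephemeral range.
SEQUENTIAL_PORTS = [32768 + i for i in range(64)]
SPREAD_PORTS = [1024 + i * 1009 for i in range(64)]

TXID_BITS = 16           # the DNS transaction ID is a 16-bit field
EPHEMERAL_RANGE = 64512  # assumed: ports 1024..65535 are usable for queries


def port_stddev(ports):
    """Population standard deviation of the observed source ports."""
    return statistics.pstdev(ports)


def rate_port_randomization(ports):
    """Map the spread of the observed ports onto the poor/good/great labels
    the online tests report. Thresholds are assumptions for illustration.
    Caveat: spread is not the same as unpredictability; a sample that is
    evenly spaced (like SPREAD_PORTS) scores well here yet is predictable."""
    sd = port_stddev(ports)
    if len(set(ports)) == 1 or sd < 1000:
        return "poor"      # fixed or sequential port: next port is predictable
    if sd < 10000:
        return "good"
    return "great"         # spread across most of the ephemeral range


def guess_space_bits(ports):
    """Bits a forged reply must match before the resolver accepts it: the
    16-bit TXID plus whatever the source port adds. A predictable port adds
    nothing; a port drawn uniformly from the ephemeral range adds
    log2(EPHEMERAL_RANGE). This is why the patch randomizes the port."""
    port_bits = 0.0 if rate_port_randomization(ports) == "poor" else math.log2(EPHEMERAL_RANGE)
    return TXID_BITS + port_bits


def single_reply_match_probability(ports):
    """Chance that one forged reply matches both TXID and port: 2^-bits.
    1/65536 with a predictable port, about 1 in 4 billion with a random one."""
    return 2.0 ** -guess_space_bits(ports)


if __name__ == "__main__":
    for name, ports in (("sequential", SEQUENTIAL_PORTS), ("spread", SPREAD_PORTS)):
        print(f"{name}: stddev={port_stddev(ports):.0f} rating={rate_port_randomization(ports)} "
              f"guess space={guess_space_bits(ports):.1f} bits")
```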

This problem was found by Dan Kaminsky a while ago, and ISPs did not listen to him, so he went public, and now the world knows the problem and how to exploit it. “He just wants everyone to understand that they must patch their systems now.”

“While most of the burden is on the Domain Name System servers and the various systems that support them, the nature of the flaw is such that desktop clients also need to patch their software as well.”

“Still, in the end, protection from any DNS exploit also depends on your upstream ISP providers. As of Monday, researcher Neal Krawetz was reporting that servers at several high-profile ISPs remained vulnerable.”

If you want more info about your DNS and whether it is safe, go to my other post called “Test your DNS NOW!!!”. Also, if you want more info, listen to Steve Gibson on episode #155, Bailiwicked Domain Attack, and also episode Listener Feedback #47, at https://www.grc.com/securitynow.htm (secure connection, SSL) or at http://www.grc.com/securitynow.htm for unsecured. If you want to visit Dan Kaminsky, his blog is at http://www.doxpara.com/ and he is on Twitter as dakami. Ohh… one more thing: Steve Gibson said that if you go to any site that is on SSL (a secure connection), it will be the right site and can’t be spoofed, because they would not allow the certificate for the site to go through, since it goes over 443, not 80. Also, if you want to laugh or cry or whatever you think this is, you can read a poem about the DNS flaw and Dan Kaminsky.

“He decided rather than to disclose all at once
he’d instead only tell people who’d fix it in months
So some meetings were had and work soon began
vendors wrote patches coordinated by Dan
Fast forward some time out the closet it came
some researcher types got into the game
Dan’s rules were quite simple, that in 30 days
he’d present during Blackhat and we’ll all be amazed
A bunch of big egos called Dan on a bluff
said his vuln was a copy of 10 year old stuff
So Dan swore them on handshakes and details were provided
and those same cocky claims soon all but subsided
It seems that Dan’s warnings weren’t baseless at all
Said the same skeptical hackers ‘the risk isn’t that small!’
So Blackhat was nearing the web didn’t break
then out came a theory from our friend Halvar Flake
No sooner had he posted and described the vuln’s guts
than Matasano’s blog surfaced, kicked the web in the nuts
It said ‘Halvar’s right!’ we’ll no longer keep quiet.
The post’s ripple effect caused a nasty ‘net riot
The blog quickly was pulled but the cat’s out of the bag
the arms race began since there’s no longer a gag
Meanwhile the issues of honor and trust
rehashed the debate of when disclosure goes bust
So Dan’s days of thirty we never did see
thirteen is OK but I issue this plea
When researchers consider how to disclose and thus when
will you think of the users? How it might affect them?
This ego-fueled rush to put your name on a vuln
has a much bigger impact than you might have known
If the point here is really to secure and protect
then consider what image you really project
In this case the vuln. is now in the wild
an exploit is coming DNS soon defiled
The arms race has started and the clock now is ticking
If you haven’t yet patched you’ll soon take a licking
I’m not taking sides really on the disclosure debate
but rather the topic of patch early or late
What good is disclosure if the world couldn’t cope
with the resultant attacks if we’ve all got just hope?
There’s two sides to this issue both deserve merit
but Dan’s rep has been smeared I say let’s just clear it”